Mitigate against inevitable smartphone losses

Whatever else you do, "Assume your smartphone will be lost or stolen and plan accordingly," says David Porter, head of security and risk at Detica consultancy.

"I see far more careless people losing their phones than identity thieves out on smartphone raids.

"People need to guard their smartphones as they do any other valuable possession, such as their wallet or handbag," he says.

In the future we may have to worry more about malware on mobile phones and PDAs, explains Eric Domage, research manager for security products and services at analyst IDG, but we do not yet know what impact it will have. "But loss and theft are happening now."

Furthermore, criminals are increasingly targeting specific organisations, he says. During the burglary in March of Eiffage BTP's offices in Haut-du-Lièvre, four laptops containing plans for the new Maxéville prison were stolen, while no other computers or businesses in the same building were touched.

"We have been giving users new productivity tools which are normally mobile, but the basic, basic, danger is theft or loss," he says, and stresses that it is not complicated.

"Data protection is encryption, and basic encryption is free."


He adds that not encrypting a mobile tool could be seen as dereliction of duty. "People who do not encrypt are now liable," he says.

Domage is not aware of cases where failure to encrypt has resulted in a jail sentence, but he says it is a possibility in the United States, and is probably coming to the UK and the rest of Europe.

Encryption should, therefore, be a matter of enterprise policy, and that policy should extend such that, "Any additional memory chips should also be encrypted, not just the phone's main internal memory. Subscriber Identity Modules (Sims) should be protected with a password and the phone with another, and these passwords should be extremely hard to guess and changed every month, every week or even every day, depending on how valuable the data is. The phone should also be made to self-lock within 30 seconds of non-usage," says Porter.

To ensure such a policy is followed, Domage advocates smartphones with out-of-the-box encryption, centralised control that dictates allowed Wi-Fi connections, enforces virtual private network use, and manages updates.


He also suggests disabling Bluetooth: its relevance to business operations is marginal, yet it opens an attack channel that is sometimes, albeit rarely, exploited.

Nevertheless, in the future securing smartphones is likely to become more complicated. And despite the failure of anybody to collect the $10,000 prize at a recent smartphone hacking fest (PWN2OWN), the number of mobile platforms continues to grow with Android, Apple mobile OS, Symbian OS, Windows Mobile, and Palm, which serves to broaden the target.

A smartphone is just a PC in the pocket but one we will not do without, almost regardless of risk.

"Information security professionals need to plan how to accommodate a new generation of hyper-connected employees using smartphones. It is no longer viable for security professionals to deal with the threats by banning use of mobile internet phones," says John Colley, managing director for EMEA at (ISC)2.

Smart phone security guide

● Encrypt data and communications.

● Password protect wherever possible.

● Do not store confidential material on the phone, but on a remote server.

● Do not install untrusted software.

● Do not browse unknown sites or open attachments from strangers.

● Deactivate unused connections such as Wi-Fi and Bluetooth.

● Assign an ID number to each mobile device and keep track of who is using it.

● Use a "Lock and Wipe" service that prevents the device from being used when lost or stolen.

● Make sure your mobile devices and data are covered by insurance.

● Train your staff to use these devices and understand the security issues.

● Draw up an "acceptable use" policy and ask users to confirm their understanding.

● Do not allow mobile devices to have access to sensitive corporate data, without strong security measures (virtual private networks, authentication and encryption).

● Check that your data allowance and infrastructure can handle the likely increase in traffic that mobility will bring.

● Channel e-mail through existing content filters and manage e-mail security at the gateway.

● Use malware detection.

● Personalise phones to detect any quick handset swapping.

● Ban phones from sensitive meetings, or remove batteries to guarantee the phone is off.

● Never let your phone out of your sight.
